The Bureau of Consumer Financial Protection (Bureau) collects and stores sensitive information, including confidential supervisory information and personally identifiable information, to support many of its mission-critical activities. Unauthorized access to or disclosure of this information, through internal or external threats, could undermine the public's trust in the Bureau and limit its ability to accomplish its mission.

Information security continues to be a key risk in the federal government, and as is the case for most federal agencies, the Bureau faces challenges in effectively securing its information technology systems and infrastructures from evolving threats. Although the Bureau continues to mature its information security program, it faces challenges in centralizing and automating processes to better manage insider risks; ensuring that all systems, including contractor-operated systems, send automated feeds into the Bureau's security information and event management tool; and aligning its information security program, policies, and procedures with the agency's evolving enterprise risk-management program.

To monitor and protect against the unauthorized transfer of data and other internal and external threats, the Bureau's cyberoperations team coordinates with its network provider, which assists with monitoring and detecting exfiltration and other threats to the agency's external network perimeter. The Bureau also completed an independent penetration test, which found no significant information security issues. However, the Bureau has not fully implemented an insider threat program that includes data loss prevention technologies to better integrate its activities in these areas.

We noted that the Bureau recently reassessed its open-access-within-each-region approach that previously afforded examiners broader access to confidential supervisory information and personally identifiable information than was needed to perform their job duties. We expect that the associated policy change will help to protect this sensitive information going forward; however, we have not assessed the implementation of the new policy or reviewed the Bureau's planned approach for ensuring that it operates in a manner that is consistent with the updated policy.

The prior open-access approach increased the risk of insider abuse of that information. An insider threat program could enable the agency to better prevent and detect unauthorized access to and disclosure of its sensitive information, particularly within its internal network. Likewise, the Bureau is in the process of fully implementing multifactor authentication for its internal system users. Multifactor authentication is in place for remote access and is enabled for privileged access to some cloud environments; however, full adoption would provide greater assurance that only authorized individuals are accessing Bureau systems and data.

The Bureau has also developed and implemented an effective information security continuous monitoring program. For example, the Bureau has implemented a centralized logging tool for Bureau systems that provides it with enhanced alert capabilities and metrics to gauge effectiveness. However, not all of the Bureau's systems, including those operated by third parties, feed the necessary information into the tool. Further, the Bureau can help ensure that its information security continuous monitoring program remains effective by automating several of the processes it currently performs manually.
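The coverage gap described above (inventoried systems, including contractor-operated ones, that never reach the central logging tool) is the kind of thing a continuous monitoring program should itself detect rather than discover during an audit. The following is an added example, not the Bureau's code or tooling: it reconciles a constructed asset inventory against a constructed "last event seen" table of the sort a SIEM exposes per log source, flags sources that are missing or silent beyond a threshold, and groups the gaps by who operates the system. The hostnames, owners and timestamps are constructed for illustration.

```python
"""Log-source coverage check: which inventoried systems are not reporting to the SIEM?

Added example, not the Bureau's code. The inventory and the per-source
"last event seen" table are constructed inline; in practice they would come
from the asset inventory (CMDB) and from the SIEM's index/source metadata.
"""
from datetime import datetime, timedelta, timezone

# Constructed asset inventory: hostname -> (owning office, operator)
INVENTORY = {
    "exam-fs01":     ("Supervision",  "bureau"),
    "hr-app02":      ("Human Capital", "bureau"),
    "vend-portal":   ("Supervision",  "contractor"),  # contractor-operated
    "cloud-bastion": ("Technology",   "bureau"),
}

# Constructed SIEM source table: hostname -> timestamp of last event received (UTC)
NOW = datetime(2018, 9, 30, 12, 0, tzinfo=timezone.utc)
LAST_SEEN = {
    "exam-fs01":     NOW - timedelta(minutes=5),
    "hr-app02":      NOW - timedelta(days=3),    # sent logs once, now silent
    "cloud-bastion": NOW - timedelta(hours=2),
    "lab-box-7":     NOW - timedelta(minutes=1), # reporting but not inventoried
    # "vend-portal" has no entry: never onboarded to the SIEM
}


def coverage_report(inventory, last_seen, now, max_silence=timedelta(hours=24)):
    """Return {hostname: 'ok' | 'stale' | 'missing'} for every inventoried host.

    'missing' = the SIEM has never received an event from this source;
    'stale'   = it has, but nothing within `max_silence` (agent died, feed broken);
    'ok'      = an event arrived within the window.
    """
    report = {}
    for host in inventory:
        ts = last_seen.get(host)
        if ts is None:
            report[host] = "missing"
        elif now - ts > max_silence:
            report[host] = "stale"
        else:
            report[host] = "ok"
    return report


def gaps_by_operator(inventory, report):
    """Group non-ok sources by operator so contractor feeds can be chased separately."""
    gaps = {}
    for host, status in report.items():
        if status != "ok":
            operator = inventory[host][1]
            gaps.setdefault(operator, []).append((host, status))
    return gaps


def uninventoried_sources(inventory, last_seen):
    """Sources the SIEM sees that are absent from the inventory (the inverse gap)."""
    return sorted(h for h in last_seen if h not in inventory)


if __name__ == "__main__":
    rep = coverage_report(INVENTORY, LAST_SEEN, NOW)
    for host, status in sorted(rep.items()):
        print(f"{host:14} {status}")
    print("gaps by operator:", gaps_by_operator(INVENTORY, rep))
    print("not in inventory:", uninventoried_sources(INVENTORY, LAST_SEEN))
```

Running this check on a schedule and alerting on any `missing` or `stale` source turns the audit finding into a metric; the `uninventoried_sources` direction catches the opposite error, a system that is logging but that nobody has recorded as an asset.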

Consistent with the Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure, the Bureau is continuing to align its information security program and related policies and procedures to the National Institute of Standards and Technology Cybersecurity Framework. The executive order emphasizes the importance of strengthening information security risk-management processes. In addition, recent federal guidance emphasizes the importance of agencies' implementing enterprise risk-management processes. As the Bureau matures its enterprise risk-management program by developing a risk appetite statement and tolerance levels, it will face challenges in aligning and updating its information security program to enable a consistent view of risks across the agency.

Further, the executive order highlights the importance of building a strong cybersecurity workforce, and the Bureau plans to leverage the National Initiative for Cybersecurity Education framework for determining the training requirements for cybersecurity personnel. The Bureau has experienced turnover in key information technology positions, which may delay its ability to meet the cybersecurity workforce goals of the executive order.

Other Related Information

An agency's response to changes in its human capital environment has a direct effect on its ability to carry out its mission efficiently and effectively. Since beginning operations in 2011, the Bureau has worked to build its human capital program and develop a diverse, high-performing, and engaged workforce. The Bureau's human capital leadership must adapt to recent changes at the agency, including changes in leadership, strategic direction, and organizational structure, as well as recent Bureau workforce directives, to help ensure that employees' skills are best leveraged.

In February 2018, the Bureau's leadership issued its fiscal years 2018–2022 strategic plan that refocuses the agency's priorities and commits the agency to fulfill only the Bureau's statutory responsibilities as established in the Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank Act). As part of the new strategic direction, the Bureau has also updated its mission to more closely align with the Dodd-Frank Act. In addition, the Bureau's leadership has made some organizational changes that will affect the roles and responsibilities of the Bureau's workforce. To address these organizational changes, the Office of the Director established a cross-divisional team of division managers, resource management officers, Office of Human Capital personnel, Legal Division personnel, and other stakeholders. The human capital program will need to remain adaptive and continue to provide the Bureau with support, such as assisting with job description reviews and adjusting workforce resources, to better align with the revised strategic direction at the Bureau.

Guidance issued by the Office of Management and Budget (OMB) to improve management of the federal workforce also has affected the Bureau. OMB Memorandum M-17-22, Comprehensive Plan for Reforming the Federal Government and Reducing the Federal Civilian Workforce, directs executive branch departments and agencies to identify and begin taking actions to reduce the federal workforce in order to reduce costs and improve efficiencies. In response to this memorandum, the Bureau established a hiring authorization process for planning and prioritizing hiring across the agency to promote the accomplishment of the Bureau's mission and align with key elements of the memorandum. In addition, the Bureau's leadership instituted an agencywide hiring freeze, with limited exceptions approved for positions deemed critical. To fill vacancies, the Bureau has been reallocating staff resources through reassignments or detail opportunities. As part of the process for reallocating staff resources, human capital management is monitoring reassignments to ensure that they are distributed in such a way as to minimize the effect on the Bureau's ability to meet workload demands. Some of these vacancies are for highly specialized skill sets, and the Bureau may face challenges in identifying the necessary skill sets in its current workforce.

The Office of Human Capital's efforts to establish workforce planning have been affected by the hiring constraints at the Bureau. Workforce planning can help the Bureau better align its human capital resources with its current and emerging mission and programmatic goals. In June 2018, the Bureau internally filled a position to focus on workforce planning, with an emphasis on data analysis to identify trends within the Bureau, including trends in the current skill sets of the workforce and any skill gaps. This workforce-planning position will also be responsible for succession planning. A formal succession-planning program could help the Bureau promote diversity in senior management and mission-critical positions. Having a workforce-planning program in place would help the Bureau respond to evolving workforce expectations and changes in agency leadership. The Bureau's human capital program will need to remain adaptive as the agency's operational environment changes and to continue to identify strategies to overcome such challenges.

Internal control activities serve as the first line of defense in safeguarding assets; preventing impairments to operations; and helping to ensure compliance with provisions of contracts, laws, regulations, and other agreements. Effective internal controls help an organization adapt to shifting environments, evolving demands, changing risks, and new priorities. Over the past year, our office and an independent public accountant continued to identify programs in which the Bureau can further strengthen its internal controls in order to mitigate financial, operational, and reputational risks. The Bureau has taken steps to strengthen its internal controls and manage risk, including implementing an enterprise risk-management program.

The Bureau should continue to strengthen its controls for contract financing and management, offboarding, and its privacy and travel programs. Specifically, we have found the following through our audit and evaluation work:

The Bureau did not comply with Federal Acquisition Regulation requirements concerning contract financing and conducting and documenting annual blanket purchase agreement reviews for one of its largest contracts. In addition, program staff did not verify actual contractor expenses by obtaining and reviewing supporting source documents.

The Bureau needs to strengthen its offboarding processes for employees and contractors, specifically with respect to returning information technology assets, deactivating building access badges, and preventing the sharing or removing of nonpublic records.

The Bureau can further strengthen its travel program by ensuring that travelers and approving officials receive proper guidance on documenting multicity trips and personal leave taken during official travel.

In addition to our work, an independent audit identified deficiencies related to controls over budget execution. The report noted that the agency did not establish adequate procedures for reviewing and deobligating unsubstantiated obligations in a timely manner. Another independent audit found that the Bureau needs to strengthen its privacy program, specifically by expanding its inventory of personally identifiable information to include data used by the Office of Human Capital, the Office of Administrative Operations, and the Office of the Chief Financial Officer, and by strengthening its physical controls over portable media, such as laptops and smartphones.

In addition to our specific audit and evaluation findings and those of independent auditors, we note that the Bureau needs to update its policies to reflect changes to its organizational structure and responsibilities. The Bureau has acknowledged in its strategic and performance plans the importance of being a responsible steward of resources. Further, it has acknowledged that achieving operational excellence requires the Bureau to mature and adapt policies, procedures, tools, and controls to operate more efficiently, effectively, and transparently. Therefore, the Bureau has committed to maintaining effective internal controls and to following appropriate models for internal controls, such as the Federal Managers' Financial Integrity Act of 1982; the objectives on financial reporting as established under the Dodd-Frank Act; and best practices provided in OMB Circular A-123, Management's Responsibility for Enterprise Risk Management and Internal Control.

The Bureau continues to strengthen internal controls for its various programs, including filling gaps in its policies and implementing new systems to improve operations. It reported several corrective actions it plans to implement to address control weaknesses, including but not limited to the following:

enhancing policy and associated training to address contract financing and requesting and reviewing supporting documents to verify unliquidated prepayment amounts so that unspent funds can be properly refunded and deobligated

monitoring the accuracy of separation data, including implementing an additional reconciliation process

conducting semiannual reviews of open obligations to determine whether they remain valid, can be deobligated, or need to be adjusted, and refining its contract closeout process

developing a complete inventory of the personally identifiable information housed at the Bureau and exploring ways to centralize information related to operational datasets
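The offboarding weaknesses noted earlier (unreturned information technology assets, building badges left active, nonpublic records that can still be reached after separation) and the planned reconciliation of separation data are two sides of one control: the separation record from human capital has to be checked against every system that still grants the departed person something. The following is an added example, not the Bureau's process or code: it reconciles a constructed separations extract against constructed directory, badge and asset records, listing what is still open for each person whose separation has taken effect, and separately listing accounts that were disabled with no matching separation record, which is the data-accuracy gap the reconciliation process is meant to catch. All user ids, asset tags and dates are constructed.

```python
"""Offboarding reconciliation: separated users versus accounts, badges and assets.

Added example, not the Bureau's process. Every record below is constructed;
real inputs would be the HR separations extract, the directory's account
status, the physical-access system's badge list and the IT asset register.
"""
from datetime import date

# Constructed HR separations: user id -> effective separation date
SEPARATIONS = {
    "jdoe":    date(2018, 8, 31),
    "asmith":  date(2018, 9, 14),
    "ctr-lee": date(2018, 9, 21),   # contractor
    "pnew":    date(2018, 10, 15),  # future-dated, not yet due
}
# Constructed directory status: user id -> account enabled?
ACCOUNTS = {"jdoe": False, "asmith": True, "ctr-lee": True, "bkim": False, "mroy": True, "pnew": True}
# Constructed physical-access system: user ids whose badge is still active
ACTIVE_BADGES = {"asmith", "mroy", "bkim", "pnew"}
# Constructed asset register: asset tag -> currently assigned user id
ASSETS = {"LT-1001": "jdoe", "LT-1002": "ctr-lee", "PH-2001": "asmith", "LT-1003": "mroy"}


def open_offboarding_items(separations, accounts, badges, assets, as_of):
    """For each separation effective on or before `as_of`, list what is still open.

    Returns {user: [item, ...]} containing only users with at least one open item.
    A separated user whose account is still enabled can still reach nonpublic
    records; an active badge still opens doors; an assigned asset was not returned.
    """
    findings = {}
    for user, effective in separations.items():
        if effective > as_of:
            continue  # separation not yet in effect; nothing to check
        items = []
        if accounts.get(user, False):
            items.append("account still enabled")
        if user in badges:
            items.append("badge still active")
        for tag, holder in sorted(assets.items()):
            if holder == user:
                items.append(f"asset {tag} not returned")
        if items:
            findings[user] = items
    return findings


def disabled_without_separation(separations, accounts):
    """Accounts disabled in the directory with no HR separation record.

    These are either separations missing from the HR extract (a separation-data
    accuracy problem) or accounts disabled for another reason; both need follow-up.
    """
    return sorted(u for u, enabled in accounts.items() if not enabled and u not in separations)


if __name__ == "__main__":
    today = date(2018, 9, 28)
    for user, items in open_offboarding_items(SEPARATIONS, ACCOUNTS, ACTIVE_BADGES, ASSETS, today).items():
        print(user, "->", "; ".join(items))
    print("disabled, no separation record:", disabled_without_separation(SEPARATIONS, ACCOUNTS))
```

The same reconciliation applies to contractors as to employees, which matters because contractor separations often reach the directory and badge systems only through the contracting officer rather than the HR extract; running the check against both populations is what makes the "additional reconciliation process" meaningful.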

The Bureau has also made additional progress in establishing an agencywide enterprise risk-management program. It recently developed a customized maturity model based on commonly used best practices and is exploring options for an external assessment of its enterprise risk-management program. Finally, the U.S. Government Accountability Office has reported that the Bureau maintained effective internal control over financial reporting. Specifically, during fiscal year 2017, the Bureau took sufficient actions to address the internal control deficiencies related to controls over accounting for property, equipment, and software.

Related OIG Reports

The Bureau's Travel Card Program Controls Are Generally Effective but Could Be Further Strengthened, OIG Report 2018-FMIC-C-014, September 26, 2018

The Bureau Could Have Better Managed Its GMMB Contract and Should Strengthen Controls for Contract Financing and Contract Management, OIG Report 2018-FMIC-C-011, June 20, 2018